AttackFlow Findings Dictionary


Disabled Event Validation

An attacker can tamper with HTTP parameters and manipulate the intended flow of the application, bypassing controls such as licensing and authorization checks.

Severity

High

Fix Cost

Low

Trust Level

High

Parameter manipulation is one of the first things attackers try against a web application, in order to force it to process unexpected values. For example, a combobox component (such as a DropDownList) holding a list of cities would be expected to contain only the valid, pre-populated cities. The list is populated on the server side and rendered back to the user agent for selection, so the value the end user sends back should be one of those valid cities. The attacker, on the other hand, can send any value instead, including attack strings such as SQL injection or cross-site scripting payloads.

ASP.NET has an event validation feature that prohibits this behaviour: the valid values rendered on the server side are kept in an HTML hidden field;

            
<input type="hidden"
name="__EVENTVALIDATION"
id="__EVENTVALIDATION"
value="..." />
                 
            

It may seem logical to disable event validation when, for instance, client-side code updates the component's pre-populated values dynamically: when the user selects one of the new values and sends it back to the server, event validation fails and the request is rejected. Event validation can be disabled for the whole application;

                 
<system.web>
<pages enableEventValidation="false" />
</system.web>
                 
            

Event validation can also be disabled in individual aspx pages;

                
<%@ Page EnableEventValidation="false" ... %>
                
         
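Both places where the setting can be switched off are easy to check statically. The following Python audit is an added example, not AttackFlow's own code; it runs over constructed sample sources and reports every site-wide (web.config, including <location> overrides) and per-page (@ Page directive) occurrence of EnableEventValidation="false".

```python
"""Audit ASP.NET sources for disabled event validation (added example)."""
import re
import xml.etree.ElementTree as ET

# Page directive attributes are case-insensitive; quotes may be ' or ".
PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(?P<attrs>.*?)%>", re.IGNORECASE | re.DOTALL)
EEV_ATTR = re.compile(
    r"""\bEnableEventValidation\s*=\s*["']\s*(?P<val>true|false)\s*["']""", re.IGNORECASE)


def audit_web_config(xml_text, filename="web.config"):
    """Find <pages enableEventValidation="false">, noting any <location> scope."""
    findings = []
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}  # ET has no parent links
    for pages in root.iter("pages"):
        if pages.get("enableEventValidation", "true").strip().lower() != "false":
            continue
        node, scope = pages, "site-wide"
        while node in parent:  # walk up: a <location path="..."> narrows the scope
            node = parent[node]
            if node.tag == "location":
                scope = "location path=%r" % node.get("path", "")
                break
        findings.append((filename, scope))
    return findings


def audit_aspx(source, filename):
    """Find @ Page directives that disable event validation for one page."""
    findings = []
    for m in PAGE_DIRECTIVE.finditer(source):
        attr = EEV_ATTR.search(m.group("attrs"))
        if attr and attr.group("val").lower() == "false":
            findings.append((filename, "page directive"))
    return findings


# Constructed sample inputs: validation on site-wide, off for /Admin and one page.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web><pages enableEventValidation="true" /></system.web>
  <location path="Admin">
    <system.web><pages enableEventValidation="false" /></system.web>
  </location>
</configuration>"""
SAMPLE_ASPX = {
    "Cities.aspx": "<%@ Page Language=\"C#\" enableeventvalidation='false' %>",
    "Safe.aspx": "<%@ Page Language=\"C#\" EnableEventValidation=\"true\" %>",
}


def audit_site(web_config=SAMPLE_WEB_CONFIG, pages=SAMPLE_ASPX):
    """Return [(file, scope), ...] for every place event validation is off."""
    findings = audit_web_config(web_config)
    for name, src in pages.items():
        findings.extend(audit_aspx(src, name))
    return findings


if __name__ == "__main__":
    for finding in audit_site():
        print("event validation disabled:", *finding)
```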
